[CHERI CSA] Fix a crash in the sub-object representability checker.

resistor · resistor · commit dfa96d58d278 · 2025-07-31T20:31:30.000+08:00
diff --git a/clang/lib/StaticAnalyzer/Checkers/PointerAlignmentChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/PointerAlignmentChecker.cpp
@@ -268,7 +268,8 @@ int getTrailingZerosCount(const SVal &V, ProgramStateRef State,
 
   // Sealed capabilities cannot be dereferenced, and any type-punning
   // will be dynamically checked during unsealing.
-  if (V.getType(ASTCtx)->isCHERISealedCapabilityType(ASTCtx))
+  auto Ty = V.getType(ASTCtx);
+  if (!Ty.isNull() && Ty->isCHERISealedCapabilityType(ASTCtx))
     return -1;
 
   if (V.isConstant()) {
diff --git a/clang/test/Analysis/Checkers/CHERI/subobject-representability-mips64.c b/clang/test/Analysis/Checkers/CHERI/subobject-representability-mips64.c
@@ -34,3 +34,12 @@ struct R2 {
   char a[0x8000]; // expected-warning{{Field 'a' of type 'char[32768]' (size 32768) requires 64 byte alignment for precise bounds; field offset is 113 (aligned to 1); Current bounds: 64-32896}}
   char y[32]; // expected-note{{15/32}}
 };
+
+// Previously triggered a crash.
+struct a {
+  unsigned b;
+};
+void c(unsigned a::*d) {
+  d == &a::b;
+  c(&a::b);
+}
